Free CISA Cheat Sheet 2026: Azure Fundamentals Quick Reference

IS Auditing Process

18%of exam

StandardsRisk-Based PlanningSamplingEvidenceReporting

Governance + Management

18%of exam

IT StrategyPoliciesERMPrivacyVendor Risk

Acquisition + Implementation

12%of exam

Business CaseSDLCControl DesignTestingMigration

Operations + Resilience

26%of exam

ITSMChangeLogsBIADRP

Asset Protection

26%of exam

IAMNetwork SecurityEncryptionCloudIncident Response

Quick Facts

Exam: CISA
Credential: Certified Information Systems Auditor
Questions: 150 MCQ
Time: 4 hours
Pass: 450/800 scaled
Domains: 5
Owner: ISACA
Delivery: PSI test or remote
Experience: 5 years

Finding Formula

Criteria, condition, cause, effect, recommendation

What should beWhat existsWhySo what

Audit vs Assessment

Audit

Independent assurance
Formal opinion
Evidence driven

Assessment

Control review
Less formal
Improvement focused

Assurance vs review

Evidence Picker

Need population coverage→CAATs(Full data)
Need control proof→Reperformance(Direct evidence)
Need process behavior→Observation(Live control)
Need owner context→Inquiry(Weak alone)
Need defect estimate→Sampling(Confidence based)

Audit Planning

Charter: Authority and scope
Audit universe: Auditable entity list
Risk-based plan: Focus high risk
Materiality: Decision impact threshold
Scope: Audit boundary
Engagement letter: Formal audit notice

Audit Execution

Evidence: Sufficient and appropriate
Sampling: Population testing subset
CAATs: Automated audit testing
Observation: Watch control operation
Inquiry: Ask process owners
Reperformance: Independently repeat control

Reporting + Follow-Up

Finding: Condition vs criteria
Cause: Why gap exists
Effect: Business impact
Recommendation: Risk-focused action
Management response: Owner commitment
Follow-up: Verify remediation

Risk Chain

Asset plus threat plus weakness equals risk

Owner acceptsControls reduceResidual remains

Inherent vs Residual

Inherent

Before controls
Natural exposure
Baseline risk

Residual

After controls
Accepted by owner
Remaining exposure

Before vs after

Governance Picker

Set risk appetite→Board(Oversight)
Execute strategy→Management(Accountable)
Measure risk trend→KRI(Early warning)
Measure service value→KPI(Performance)
Outsource critical service→SLA(Monitor vendor)

IT Governance

Board: Strategic oversight
Executive management: Owns execution
IT strategy: Business alignment
Policy: Management direction
Standard: Mandatory requirement
Procedure: Step-by-step method

Policy vs Procedure

Policy

Management direction
High level
Mandatory intent

Procedure

Detailed steps
Operational method
Repeatable work

What vs how

Risk + Data

ERM: Enterprise risk program
Risk appetite: Accepted risk level
KRI: Risk trend signal
KPI: Performance measure
Data owner: Classifies data
Privacy: Personal data rules

Vendor Management

Due diligence: Assess before selection
SLA: Service commitments
Right to audit: Verification clause
Exit plan: Orderly transition
Fourth party: Vendor's vendor
SOC report: Control assurance

Project Controls

Business case, requirements, testing, signoff

Value firstTrace requirementsUsers accept

UAT vs System Test

UAT

Business users
Requirements fit
Acceptance decision

System test

Technical testers
Integrated behavior
Defect discovery

Business vs technical

Implementation Picker

Need business signoff→UAT(User acceptance)
Need low-risk rollout→Pilot(Limited users)
Need immediate switch→Big bang(High risk)
Need data integrity→Reconciliation(Counts/checksums)
Need benefits check→PIR(After go-live)

Project Governance

Business case: Value justification
Feasibility: Can succeed
Sponsor: Business owner
Steering committee: Project oversight
Requirements: Business needs
Traceability: Requirement test linkage

SDLC Controls

SDLC: Controlled system lifecycle
Agile: Iterative delivery
DevSecOps: Security integrated pipeline
Segregation: Dev/test/prod separation
Code review: Peer inspection
Change control: Approved modification

Implementation

UAT: Business acceptance test
Parallel: Old and new
Pilot: Limited rollout
Phased: Incremental rollout
Big bang: Single cutover
PIR: Benefits and lessons

Resilience Order

BIA sets RTO and RPO

BCP keeps businessDRP restores ITBackups support RPO

Incident vs Problem

Incident

Restore service
Immediate disruption
Workaround acceptable

Problem

Find root cause
Prevent recurrence
Known error path

Restore vs prevent

Resilience Picker

Prioritize processes→BIA(Impact first)
Maintain business→BCP(People/process)
Recover systems→DRP(Technology)
Set downtime limit→RTO(Time target)
Set data loss limit→RPO(Data target)

IT Operations

IT asset: Lifecycle managed resource
CMDB: Configuration item record
Job scheduling: Automated batch control
Capacity: Resource demand planning
Availability: Service uptime ability
Runbook: Operational procedure

BCP vs DRP

BCP

Business survival
Process continuity
BIA driven

DRP

IT recovery
Systems restoration
RTO/RPO driven

Business vs IT

Service Management

Incident: Service interruption
Problem: Root cause
Known error: Documented workaround
Change: Controlled modification
Patch: Vulnerability fix
Log management: Event evidence control

Resilience

BIA: Impact prioritization
BCP: Business continuity plan
DRP: IT recovery plan
RTO: Recovery time target
RPO: Data loss target
Backup: Recoverable data copy

Security Flow

Identify, protect, detect, respond, recover

Least privilegeMonitor logsPreserve evidence

Preventive vs Detective

Preventive

Stops event
Before loss
Access control

Detective

Finds event
After activity
Logs and alerts

Stop vs find

Security Picker

Verify identity→MFA(Stronger auth)
Limit access→Least privilege(Need only)
Protect data→Encryption(Confidentiality)
Detect attacks→SIEM(Correlation)
Preserve evidence→Forensics(Chain custody)

Asset Security

CIA: Security objectives
Classification: Sensitivity label
IAM: Identity access control
MFA: Multiple proof factors
Least privilege: Minimum needed access
DLP: Data leakage prevention

Scan vs Pen Test

Scan

Find weakness
Automated breadth
Low impact

Pen test

Exploit proof
Authorized attack
Scoped depth

Find vs exploit

Technical Security

Firewall: Traffic filtering
IDS: Detects suspicious activity
IPS: Blocks suspicious activity
Encryption: Confidentiality control
PKI: Certificate trust system
Cloud: Shared responsibility

Security Events

Awareness: User behavior control
Vulnerability scan: Weakness discovery
Pen test: Exploit validation
SIEM: Security log correlation
Incident response: Structured event handling
Forensics: Evidence preservation

Common Traps

Auditor vs manager

Auditor recommends ≠ Management owns action

Evidence vs opinion

Evidence supports finding ≠ Opinion needs proof

Risk appetite vs tolerance

Appetite is target ≠ Tolerance is variation

SLA vs OLA

SLA faces customer ≠ OLA is internal

Backup vs continuity

Backup restores data ≠ BCP keeps business

UAT vs approval

UAT tests fit ≠ Approval authorizes release

Authentication vs authorization

Authentication proves identity ≠ Authorization grants access

Encryption vs hashing

Encryption hides data ≠ Hash verifies integrity

Last Minute

1.Risk drives audit scope
2.Evidence before conclusions
3.Management owns remediation
4.Board sets risk appetite
5.Owner classifies data
6.Custodian implements controls
7.BIA precedes BCP/DRP
8.RTO equals downtime target
9.RPO equals data loss
10.Least privilege beats convenience
11.Logs need integrity protection
12.UAT confirms business fit

CISA

Practice Questions200 questions Study Guide Cheat Sheet Flashcards50 cards

2 blogs

CISA – Certified Information Systems Auditor Study Guide: Achieve CISA certification with practical examples and over 850 exam-oriented practice questions

$47.13 · Buy on Amazon

Take courses on Udemy

Learning path on Pluralsight

Flashcards on Mometrix

Same family resources

Explore More ISACA Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

More From This Family

Videos and articles for deeper review.

ArticleCISA Exam Guide 2026: FREE ISACA Study Plan + Practice28 min read ArticleCRISC Exam Guide 2026: FREE ISACA Study Plan + Practice30 min read ArticleCISM Exam Guide 2026: FREE ISACA Study Plan + Practice30 min read ArticleCOBIT 2019 Foundation 2026: Governance-First Prep6 min read

CISA Cheat Sheet